On the thermostat main screen, hit Help then About. It’ll show you there.
Looks like I’m on version 3.0
I have Software versions from 2.1, 2.2.2, 3.0, 4.0, 4.0.1, 4.0.3
3.0 will need to load up again and will try it my new test T-stat that comes tomorrow found it on Craigslist for 100.00 let the FUN begin 
4.0 SSH is open but can get raptor21 to login
4.0.1 has SSH turned off
4.0.3 has the hard coded users removed don’t recall if SSH is open or not
Have you tried nmap against it? Maybe 4.0.2 has sshd on a non-standard port?
I was getting this error to, it uses and old KexAlgorithms key. you need to add “diffie-hellman-group1-sha1” to openSSH config
$ ssh -v raptor21@10.0.1.46
…
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
Unable to negotiate with 10.0.1.46: no matching key exchange method
found. Their offer: diffie-hellman-group1-sha1
Any one have 4.0.2 that i can try ? But currently i can’t get the password Cold,2100RRRRR to work on 4.0
In 4.0.2, on my new XL950 which I just had installed yesterday, port 22/SSH is not open. Port 9999 is open and looks like a text automation interface (accessible over telnet), and gives some sort of challenge with an encoded or encrypted string:
1::evChallenge(0,“7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F”);
Other ports also appear to be open:
9037
39605
50871
If you telnet to port 9037, it dumps out the wifi network and key in plain text. So, not particularly secure, although I suppose you do have to be on the network with it already to obtain this information.
I’m curious about this port 9999 process and what lives on it and what it is expecting. Is it a custom binary? A listener to a script or Java process that can be reversed so that we can communicate with it? Maybe tinkering in an isolated environment with the upgrade file will yield some clues.
hjk
[quote=“micro98, post:63, topic:168631”]I have Software versions from 2.1, 2.2.2, 3.0, 4.0, 4.0.1, 4.0.3
3.0 will need to load up again and will try it my new test T-stat that comes tomorrow found it on Craigslist for 100.00 let the FUN begin
4.0 SSH is open but can get raptor21 to login
4.0.1 has SSH turned off
4.0.3 has the hard coded users removed don’t recall if SSH is open or not[/quote]
Just received my new T-stat, came with version 1.0 have not had a chance to upgrade it yet. Password is still not working, with the raptor21 account.
[quote=“hjkim, post:67, topic:168631”]In 4.0.2, on my new XL950 which I just had installed yesterday, port 22/SSH is not open. Port 9999 is open and looks like a text automation interface (accessible over telnet), and gives some sort of challenge with an encoded or encrypted string:
1::evChallenge(0,“7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F”);
Other ports also appear to be open:
9037
39605
50871
If you telnet to port 9037, it dumps out the wifi network and key in plain text. So, not particularly secure, although I suppose you do have to be on the network with it already to obtain this information.
I’m curious about this port 9999 process and what lives on it and what it is expecting. Is it a custom binary? A listener to a script or Java process that can be reversed so that we can communicate with it? Maybe tinkering in an isolated environment with the upgrade file will yield some clues.
hjk
—[/quote]
This “1::evChallenge(0,“7C86E1D1AB0C0A790F5DA8DAC9D7671CCE86254F”)”, looks like the line that is in the begging of the log file that is saved when you enabling logging in the setup menu. I use that to try to get some responses. from telnetting to port 9999
Have seen some interesting responses but nothing useful, figuring out how to construct is key.
1::login(a,a,a);
1::evError(LGIN,“”,“login attempt failed”);
1::subscribe(0,0);
1::evError(PERM,“1::subscribe(0,0);”,“Permission denied.”);
1::subscribe(TRUE);
1::evError(XOID,“1::subscribe(TRUE);”,“No such object.”);
1.9.1::evSalt(“01/01/2010”,“06:27:03”);
1::evError(XMTH,“1.9.1::evSalt(“01/01/2010”,“06:27:03”);”,“No such operation.”);
Constrants.rb show this services starting up on port 9999
Trying to make some scene, of these Ruby SMILCommanderService.rb and SMILService.rb
Well, I spent some time this weekend working through the Ruby scripts as well, and see some potential places to look. I also attempted to do some disassembly on the SCC binary, which appears to be the brain of the operation.
My main goal is to control the unit remotely, so if I can use telnet or HTTP/S to issue commands and get status, then I’m fine with that.
Another thread I may pursue is man-in-the-middle (using SSL decryption) to view the JSON or other HTTP items going back and forth, even if that means signing up for Nexia web-based management. Just need to convince my Tomato router to forward requests to my SSL-decrypting Fiddler proxy.
hjk
Looking at some logs i noticed at the same time that I went into settings ~> Security ~> system password ~> Change password. the following happened
Jun 7 01:09:04 auth.info passwd: Password for raptor21 changed by root Jun 7 01:09:04 user.notice XCC: Changing password for raptor21 Jun 7 01:09:04 user.notice XCC: Password for raptor21 changed by root Jun 7 01:09:04 auth.info passwd: Password for root changed by root Jun 7 01:09:04 user.notice XCC: Changing password for root Jun 7 01:09:04 user.notice XCC: Password for root changed by rootyou can go into settings ~> Security ~> system password ~> Display password. To see the current password. it might say *Default password*" and can not be displayed.
What is displayed in this field add RRRRR for the raptor21 account or AAAAA for the root account
Mine had my wifi password in this field my have set it a long time ago… I just Factory defaulted my T-stat now the default password is working on 4.0 this is why i could not get it working before.
so on boot it is loading a Xml config file this is why we were all seeing it change on boot.
Trane Is No longer providing Firmware updated to the Consumer, All update now need to be done by the dealer. :
Bump
Hey folks, I’ve been searching for ways to interface to my “Trane” 950 thermostat (mine is actually branded “American Standard”, but I understand that’s just a branding thing), and stumbled across this thread, which seems to have been abandoned.
Anyone still looking into this? I’m a software developer, and am finding myself with some time on my hands, and curiosity about this device.
Given Trane’s sketchy track record on device security (hardcoded passwords, really?), I’m not going to let this thing talk to the Internet, so Nexia, and all other online services are out.
I’d like to at least be able to get current status from the device, though.
At a minimum, I would love to understand the format of the SD card log file, so I can get statistics, e.g., external temperature, internal temp setpoint and actual temp, and humidity.
If we figure out nothing but the file format, we could use a WiFi SD card, configure the thermostat to log, and have an external machine periodically pull log files off the WiFi SD card directly. Yes, that’s a crass hack, but reading back in this thread, that seems to be an option we might have to go for… I’d want to keep a careful eye on the temperature of the WiFi SD card – if it heats up enough, it might affect the thermostat’s internal temp sensor, and would totally crank the A/C in the summer, and back off the heating in winter!
OK, if anyone is still around, post a response!
there’s the code, API, etc for smartthings… should be transposable to us with approrpiate LUUP syntax… if you could do this, it would be awesome!!!
Can someone send me the update files for the 950 thermostat? I’m stuck on 1.0 and can’t connect to nexia without updating to at least 2.1.
Here is a link
Download Latest Version 4.0.1 Software for the ComfortLink? II XL950 Control
https://www.trane.com/content/dam/Trane/residential/downloads/rsup_143756742001.tar.gz
Is the latest firmware for the Comfortlink II XL950 version 4.0.3? If not, what is the latest and what is the rsup_ #?
I found this link for the 4.0.3 firmware:
https://www.trane.com/content/dam/Trane/residential/downloads/rsup_145007844901.tar.gz
1 Like
Has there been an update firmware for the Trane ComfortLink II XL950 Control sense 2019?